Operationalising DORA compliance

It's all about asking the right questions ...

You understand the legislation, you know why it's being enforced.

Now, you need proof points to guarantee your organisation complies with these new regulations.

David Thomas, Head of Cyber Resilience at ITHQ, is joined by guest experts to help you fully prepare for DORA.

Full agendas: 4 x 30-minute sessions that will ensure your team is on track for compliance in January ...

The 4 domains of DORA compliance

DORA in its most simple terms. If you have these four key areas covered, you will be in great shape to comply ...

Streamlining compliance

CIS Critical Security Controls provide a recommended framework that can smooth your path to compliance ...

Third party security checks

Every business is a link in a chain. Where is your weakest link? What can you do to strengthen your chain?


DORA webinar series

Everything you need to operationalise your compliance process

You know the directive and your teams are busy. But busy does not mean compliant. Now is the time to ask the right questions to see for sure how ready you are for the auditors.

Your host, David Thomas, Head of Cyber Resilience at ITHQ, is a highly qualified and experienced CISO holding (ISC)² CISSP, ISO 27001 Certified ISMS Lead Implementer, CISA Certified Information Systems Auditor, and SABSA Chartered Security Architect Foundation (SABSA-FCP).

Using the CIS Critical Controls as a guide and his experience as an auditor, David helps you navigate the four key areas of compliance, delivers practical knowledge and advice to ensure you have the reports, access logs and other vital proof points you need ahead of January 2025.

The videos are now available on demand via the registration pages.

1. Access Control Management

Who's on your networks, what can they see and what can they do?

Guest speaker: privileged access management specialist, Chris Dearden, from Delinea.

● Inventory and control: enterprise assets

● Inventory and control: software assets

● Account management

● Access control management

Aired 15th October 2024. Complete the form on the registration page via the link below to watch on demand.

2. Vulnerability Management

Where are your weakest points, how do you find them and how do you fix them?

Guest speaker: Scott Nursten, CEO, ITHQ

● Continuous vulnerability assessment

● Audit log management

● Penetration testing

Aired October 16th. Complete the form on the registration page via the link below to watch on demand.

3. Network Management, Security & Maintenance

Is your network operating efficiently, is it secure and how do you maintain it?

Guest speaker: Head of Hybrid Cloud, Nik Grove, ITHQ.

● Secure configuration of enterprise assets and software

● Network infrastructure management

● Network monitoring and defense

● Application software security

Aired October 17th. Complete the form on the registration page via the link below to watch on demand.

4. Data Resilience

How can your data be attacked, how far can the attack go and what happens if your data gets wiped?

Guest speakers: Nick Brayne, Cyber Insurance specialist from Sutton Winson, and Nik Grove, Head of Hybrid Cloud, ITHQ

● Email and web browser protections

● Malware defenses

● Data protection

● Data recovery

● Incident response management

Aired October 18th. Complete the form on the registration page via the link below to watch on demand.

DORA: the 4 domains to compliance

Anticipate, withstand, recover, evolve

Financial services firms generated 12% of the UK's economic output in 2023. DORA is an EU regulation that will make this critical sector more resilient to cyber attacks by reducing risk and improving governance.

The four domains of DORA that must be demonstrated and evidenced are:

● ICT risk management and governance

● Your system for incident response and reporting

● Your protocol for digital operational resilience testing

● Your third-party risk management

Information sharing is recommended as well.

ICT risk management & governance

Strategise security updates to ensure budget is allocated and to eliminate knee-jerk spend.

Incident response & reporting

Create a process that spans discovery, response and reporting of an incident and share it.

Digital operational resilience tests

Scenario-based testing is critical. Face the worst cases regularly so that you are fully prepared.

Third-party risk management

Verify the compliance and security credentials of all third-party providers. Review annually.

Streamlining compliance

The Center for Internet Security (CIS) 18 Critical Controls

This established, recommended framework can guide your team efficiently to demonstrate and evidence how you cover critical areas of data security.

Implementation groups

IG1 Essential cyber hygiene for SMEs with limited IT and expertise

IG1 is the definition of essential cyber hygiene and represents a minimum standard of security for organisations with a simple structure and low data sensitivity. It gives defence against broad, non-targeted attacks.

IG2 Medium cyber security for mid-size businesses with complex needs

For businesses managing IT infrastructure across multiple departments with differing risk profiles, IG2 incorporates IG1 and helps enterprises with increased operational complexity reduce risk further.

IG3 Expert security for businesses handling publicly sensitive data

IG3 incorporates IG2 and IG1, helping firms with expert IT security teams secure sensitive, confidential data. Successful attacks could significantly harm public welfare.

Are your service providers DORA compliant?

Certs, security and processes

Adopt a stance of zero trust and zero assumption when it comes to managing the security of your supply chain. Checking credentials such as ISO 27001, ISO 9001 and Cyber Essentials Plus is always a good starting point.

The National Cyber Security Centre (NCSC), in partnership with the Centre for the Protection of National Infrastructure (CPNI), stresses the importance of dynamic, proactive strategies:

1. Risk Assessment and Protection Prioritisation

Begin by developing an exhaustive understanding of your supply chain. Evaluate the sensitivity of your operations and data access points to establish who your direct and indirect suppliers are, along with assessing their security postures.

The necessity for tight security measures becomes apparent in ensuring that suppliers uphold standards compatible with yours. Documentation of these aspects forms the backbone of creating risk profiles and defining stringent data protection standards expected from all parties involved.

2. Establishing Control, Facilitating Communication, and Offering Support

With a comprehensive perspective of the supply chain's structure, pinpoint potential vulnerabilities and direct your efforts on mitigating these weak points. Frequent evaluations reveal patterns and dependencies that may necessitate diversification of your supplier base to reduce concentrated risks.

Communication about your security expectations and the repercussions of non-compliance must be clear to every supplier. Leading by example, foster a culture that underscores the significance of security and facilitate mechanisms for managing and mitigating incidents.

3. Validation and Assurance

Confidence in your strategies is mandatory, and so is their validation. Effective contract management ensures that security clauses, like those requiring Cyber Essentials Plus or ISO 27001 certification, are always current and relevant.

Watch for extended, unchecked contracts, which can become obsolete as security paradigms shift. Introduce clauses like the right to audit, encouraging mutual compliance and regular revisions among your partners.

4. Continuous Improvement and Adaptation

As the business environment and potential threats evolve, so should your strategies and those of your partners. Promote an environment where continuous improvement is both encouraged and supported, aligning with strategic goals which enhance competitive prowess and ensure resilience.

Solidifying supply chain security is a collective responsibility. It involves creating synergetic partnerships based on shared values and continuous dialogue, ensuring all nodes within the chain are robust enough to withstand and adapt to the challenges posed by modern cybersecurity threats.
